As I am self-hosting a couple of services, mainly for keeping my data for myself (Sorry Google, Facebook), I tried to build a "production-grade docker image". Here's my attempt and what I learnt along the way.

Radicale

The first service I dockerized is Radicale, a calendar/contact server (CalDAV/CardDAV).

Easy: Use a smaller base image

I did not set a specific image version (e.g. python:3.5.2-alpine) in the hope that it could ease upgrades and
that a rebuild could be automatically fired by Docker Hub using a configured dependency. Forget repeatable builds!

Let's go for python:3-alpine:

# Unpinned tag: tracks the latest Python 3 release on Alpine, so two builds may differ
FROM python:3-alpine
RUN pip install radicale
# Radicale's console script is the container's main process
CMD ["radicale"]

Easy: Process management

It seems a good practice to use a process manager to act as PID 1 and reap subprocesses.
As I don't know if Radicale handles signals properly, nor if it would create new subprocesses and handle them well,
let's use a process manager (this is more cargo-cult than scientific evidence).

Hard: Volumes and permission

Next best practice: Never Run As Root.
We have not done that for hosted services in decades, so don't do it inside containers either,
especially containers exposed to the public. The Docker Security team does not recommend it either
(https://www.youtube.com/watch?v=LmUw2H6JgJo).

That means: use the USER instruction, or switch user when the container is run.
Combined with a volume, that's where I started having permission problems.

What happens is that mounting a host directory (e.g. docker run ... -v /path:/data/radicale) does not preserve the ownership
set in the image: the mounted directory carries the uid/gid of the host directory, and if Docker created that directory it is root:root.
So what was owned by radicale:radicale in the image shows up as root:root in the running container.